CVE-2026-42088
Published: 04 May 2026
Summary
CVE-2026-42088 is a critical-severity Execution with Unnecessary Privileges (CWE-250) vulnerability. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Python (T1059.006); ranked at the 7.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Enforces least privilege by ensuring Script Runner executes Python and Ruby scripts without unnecessary permissions to access the Redis database or the buckets service.
- Monitors and controls communications at Docker container boundaries to block unauthorized network access between Script Runner and other services such as Redis and buckets.
- Implements mechanisms to enforce access control policies, preventing scripts from bypassing API permission checks via direct connections over the shared Docker network.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables Python script execution (T1059.006) on the shared Docker network to bypass API checks, leading to privilege escalation to admin (T1068), direct access to Redis secrets (T1552), and data theft from database and bucket repositories (T1213.006).
NVD Description
OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to version 7.0.0-rc3, the Script Runner widget allows users to execute Python and Ruby scripts directly from the openc3-COSMOS-script-runner-api container. Because all the docker containers share a network, users can execute specially crafted scripts to bypass the API permissions check and perform administrative actions, including reading and modifying data inside the Redis database, which can be used to read secrets and change COSMOS settings, as well as read and write to the buckets service, which holds configuration, log, and plugin files. These actions are normally only available from the Admin Console or with administrative privileges. Any user with permission to create and run scripts can connect to any service in the docker network. This issue has been patched in version 7.0.0-rc3.
Deeper analysis
CVE-2026-42088 is a critical-severity vulnerability (CVSS 9.6, AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N) affecting OpenC3 COSMOS prior to version 7.0.0-rc3. The issue resides in the Script Runner widget within the openc3-COSMOS-script-runner-api Docker container, which enables users to execute Python and Ruby scripts. Because all Docker containers share a single network, these scripts can open direct connections to backend services and bypass the permission checks that the API layer would otherwise enforce.
Any authenticated user with permission to create and run scripts can exploit this vulnerability remotely over the network. Successful exploitation grants administrative capabilities normally restricted to the Admin Console, including reading and modifying data in the Redis database to access secrets and alter COSMOS settings, as well as reading and writing to the buckets service containing configuration, log, and plugin files.
The vulnerability has been addressed in OpenC3 COSMOS version 7.0.0-rc3, as detailed in the project's release notes and GitHub Security Advisory GHSA-2wvh-87g2-89hr. Security practitioners should upgrade to the patched version to mitigate the risk; the underlying weakness is classified as CWE-250 (Execution with Unnecessary Privileges).
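The root cause described above is topological: one flat Docker network lets the script-execution container reach Redis and the buckets service without passing through the API tier. The Docker Compose fragment below is an added example of the boundary-control mitigation, written for this page and not taken from the OpenC3 project; the service names (script-runner-api, cosmos-api, redis, buckets), network names and image tags are assumptions, and the real COSMOS compose layout will differ. The weak layout is shown as a comment beside the segmented one.

```yaml
# Added example, not OpenC3's own compose file. All names below are assumed.
#
# Weak layout (the pre-fix condition): every service omits a "networks:" key,
# so Compose attaches all of them to one default network and the script
# runner can resolve and connect to "redis" or "buckets" directly.
#
# Segmented layout: the data stores sit on an internal-only network that the
# script runner is never attached to, so the only route to them is through
# the API tier, which performs the permission check.

networks:
  frontend:            # browser-facing tier
  backend:             # API services; may talk to the data stores
  datastore:           # Redis and bucket storage only
    internal: true     # no external routing for this network

services:
  script-runner-api:   # assumed name for the script-execution container
    image: example/script-runner-api:placeholder
    networks:
      - frontend
      - backend        # reaches cosmos-api, which enforces permissions
    # deliberately NOT attached to "datastore": scripts have no socket path
    # to Redis or the buckets service

  cosmos-api:          # assumed name for the permission-checking API tier
    image: example/cosmos-api:placeholder
    networks:
      - backend
      - datastore

  redis:
    image: redis:7
    networks:
      - datastore      # reachable only from services on "datastore"

  buckets:             # assumed name for the object-storage service
    image: example/buckets:placeholder
    networks:
      - datastore
```

A quick verification after deployment is to run `docker compose exec script-runner-api getent hosts redis` and confirm that name resolution fails, while the same command from the cosmos-api container succeeds; a user-level script in the runner then has no address to connect to, and every data-store access goes through the API permission check. Network segmentation complements, rather than replaces, the upstream fix in 7.0.0-rc3 and the least-privilege controls listed above.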
Details
- CWE(s)